<!DOCTYPE html>
<html lang="zh-CN">





<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="/img/apple-touch-icon.png">
  <link rel="icon" type="image/png" href="/img/favicon.png">
  <meta name="viewport"
        content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
  <meta name="description" content="安全行业从业者，主要方向PC逆向附带安卓和Linux逆向，时不时喜欢写点BUG代码">
  <meta name="author" content="Cray">
  <meta name="keywords" content="">
  <title>白利用挖矿程序 ~ 逆向安全博客</title>

  <link rel="stylesheet" href="https://cdn.staticfile.org/font-awesome/5.12.1/css/all.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/css/bootstrap.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/mdbootstrap/4.13.0/css/mdb.min.css"  >
<link rel="stylesheet" href="https://cdn.staticfile.org/github-markdown-css/3.0.1/github-markdown.min.css"  >

<link rel="stylesheet" href="//at.alicdn.com/t/font_1067060_qzomjdt8bmp.css">



  <link rel="stylesheet" href="/lib/prettify/tomorrow.min.css"  >

<link rel="stylesheet" href="/css/main.css"  >


  <link rel="stylesheet" href="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.css"  >


<meta name="generator" content="Hexo 5.2.0"></head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">


    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/">首页</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/archives/">归档</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/tags/">标签</a>
          </li>
        
          
          
          
          
          <li class="nav-item">
            <a class="nav-link" href="/links/">友链</a>
          </li>
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" data-toggle="modal" data-target="#modalSearch">&nbsp;&nbsp;<i
                class="iconfont icon-search"></i>&nbsp;&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="view intro-2" id="background" false
      style="background: url('https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728104055287.png') no-repeat center center;
      background-size: cover;">
    
        <div class="full-bg-img">
        <div class="mask rgba-black-light flex-center">
          <div class="container text-center white-text fadeInUp">
            <span class="h2" id="subtitle">
              
                白利用挖矿程序
              
            </span>

            
              <br>
              

              <p>
                
                  
                  &nbsp;<i class="far fa-chart-bar"></i>
                  <span class="post-count">
                    503 字
                  </span>&nbsp;
                

                
                  
                  &nbsp;<i class="far fa-clock"></i>
                  <span class="post-count">
                      2 分钟
                  </span>&nbsp;
                

                
                  <!-- 不蒜子统计文章PV -->
                  
                  &nbsp;<i class="far fa-eye" aria-hidden="true"></i>&nbsp;
                  <span id="busuanzi_container_page_pv">
                    <span id="busuanzi_value_page_pv"></span> 次
                  </span>&nbsp;
                
              </p>
            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid">
  <div class="row">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-md">
      <div class="py-5 z-depth-3" id="board">
        <div class="post-content mx-auto" id="post">
          <div class="markdown-body">
            <h3 id="分析恶意msi-dll"><a href="#分析恶意msi-dll" class="headerlink" title="分析恶意msi.dll"></a>分析恶意msi.dll</h3><p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728104055287.png" srcset="/img/loading.gif" alt="image-20200728104055287"></p>
<p>恶意代码主要写在 <code>DllEntryPoint</code></p>
<p>其他的导出函数都仅仅是写了实现（无任何有效代码），实际效果是直接ret</p>
<p><code>DllEntryPoint</code>头部代码是手写的shellcode</p>
<p>主要效果是手动导入tv_w32.dll，使用</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728111751983.png" srcset="/img/loading.gif" alt="image-20200728111751983"></p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728113549219.png" srcset="/img/loading.gif" alt="image-20200728113549219"></p>
<p>tb.payeermine.com/update.php是一个更新页面，不同参数返回不同软件下载链接</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728133420177.png" srcset="/img/loading.gif" alt="image-20200728133420177"></p>
<p>相同参数，访问多次，有三种不同的可执行程序返回</p>
<p>/update.php?id=201988239&amp;stat=25ede34c14feb8dc645d3fa58710b636 </p>
<h4 id="第一种：zbs-exe"><a href="#第一种：zbs-exe" class="headerlink" title="第一种：zbs.exe"></a>第一种：zbs.exe</h4><table>
<thead>
<tr>
<th align="center">Type</th>
<th align="center">Value</th>
</tr>
</thead>
<tbody><tr>
<td align="center">md5</td>
<td align="center">0904ADD71C8B1B59D251C3CC8E0D3841</td>
</tr>
<tr>
<td align="center">FileName</td>
<td align="center">Copy Text Everything Wild</td>
</tr>
<tr>
<td align="center">报告时间</td>
<td align="center">2020年7月28日 13点</td>
</tr>
</tbody></table>
<p>查壳VMP，直接动态分析，在本地虚拟机会被检测，上传any.run看效果</p>
<p>访问C2地址，上传盗取本地敏感信息</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728134106903.png" srcset="/img/loading.gif" alt="image-20200728134106903"></p>
<h4 id="第二种：bufera-exe"><a href="#第二种：bufera-exe" class="headerlink" title="第二种：bufera.exe"></a>第二种：bufera.exe</h4><table>
<thead>
<tr>
<th align="center">Type</th>
<th align="center">Value</th>
</tr>
</thead>
<tbody><tr>
<td align="center">md5</td>
<td align="center">92CEC63E095BE5BEB1029220CB585144</td>
</tr>
<tr>
<td align="center">报告时间</td>
<td align="center">2020年7月28日 13点</td>
</tr>
</tbody></table>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728151214184.png" srcset="/img/loading.gif" alt="image-20200728151214184"></p>
<p>例如第一个的地址<code>1GuxVaa3QqeyXGc13MFzmasMRK7HZwbA18</code>，当检测到用户当前剪切板是比特币地址，就修改为木马作者的地址。</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728151232078.png" srcset="/img/loading.gif" alt="image-20200728151232078"></p>
<p>有很多类型的币，不一一列举，地址写在IOC中</p>
<h4 id="第三种：serv-exe"><a href="#第三种：serv-exe" class="headerlink" title="第三种：serv.exe"></a>第三种：serv.exe</h4><table>
<thead>
<tr>
<th align="center">Type</th>
<th align="center">Value</th>
</tr>
</thead>
<tbody><tr>
<td align="center">md5</td>
<td align="center">E66275001BA64DB5D3FA293F6F4C152F</td>
</tr>
<tr>
<td align="center">FileName</td>
<td align="center">B.exe</td>
</tr>
<tr>
<td align="center">报告时间</td>
<td align="center">2020年7月28日 13点</td>
</tr>
</tbody></table>
<p>C#程序，dnSpy动态调试如下，如果是第一次运行，则释放文件到<code>%TMP%s\svchost.exe</code>并执行</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728154759653.png" srcset="/img/loading.gif" alt="image-20200728154759653"></p>
<p>互斥值： {6XTK1NMX-887338-6D1RGU-6D1RGUTDIS}</p>
<p>持久化：</p>
<p>software\microsoft\windows\currentversion\run</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728162215550.png" srcset="/img/loading.gif" alt="image-20200728162215550"></p>
<p>后续分析为一个远控<img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728162508138.png" srcset="/img/loading.gif" alt="image-20200728165005812"></p>
<p>循环上传数据及接收C2的指令</p>
<p>C2地址为：cob.payeermine.com:9999</p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728162439222.png" srcset="/img/loading.gif" alt="image-20200728162439222"></p>
<p><img src="https://gitee.com/cve/BlogImg/raw/master/typora/image-20200728165005812.png" srcset="/img/loading.gif" alt="image-20200728162508138"></p>
<h3 id="IOC"><a href="#IOC" class="headerlink" title="IOC:"></a>IOC:</h3><table>
<thead>
<tr>
<th align="center">Type</th>
<th align="center">Value</th>
</tr>
</thead>
<tbody><tr>
<td align="center">虚拟币地址</td>
<td align="center">1GuxVaa3QqeyXGc13MFzmasMRK7HZwbA18</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">0x9115a0A114C25fde83551468593E76Ba482152</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">47hVqg4ztcXE8dBe8JP6Q4KGu6FosHMUZNxkqi2EVXuCcfwkhKjrfxvL8E2X5vy4Mb8KihxnMEsoDXP8fV647yeARRhsv5C</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">DE9eDoKAByRh8K1HraQXAsuqRm3BBx4b3g</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">XpuowbrW6eS8pe4FxdAniHdiSpmqE6XD1S</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">XpuowbrW6eS8pe4FxdAniHdiSpmqE6XD1S</td>
</tr>
<tr>
<td align="center">虚拟币地址</td>
<td align="center">t1Y6Qmv4prxQo1UM8wBp5FobbcELrNfG2q1</td>
</tr>
<tr>
<td align="center">C2</td>
<td align="center">104.18.57.14</td>
</tr>
<tr>
<td align="center">C2</td>
<td align="center">cob.payeermine.com:9999</td>
</tr>
<tr>
<td align="center">恶意文件</td>
<td align="center">http[:]//tb.payeermine.com/update.php</td>
</tr>
<tr>
<td align="center">恶意文件</td>
<td align="center">http[:]//liskcrypto.top/bufera.exe</td>
</tr>
<tr>
<td align="center">恶意文件</td>
<td align="center">http[:]//liskcrypto.top/serv.exe</td>
</tr>
<tr>
<td align="center">恶意文件</td>
<td align="center">https[:]//liskcrypto.top/zbs.exe</td>
</tr>
</tbody></table>
<h3 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h3><p>这是相当活跃的病毒，收益虽然不多，但是隐藏的较好。病毒作者大概率为韩国人，在外伪装成基于MPEG编码的视频解码器传播。</p>

            <hr>
          </div>
          <br>
          <div>
            <p>
            
            
              <span>
                <i class="iconfont icon-tag"></i>
                
                  <a class="hover-with-bg" href="/tags/%E6%9C%A8%E9%A9%AC/">木马</a>
                
              </span>
            
            </p>
            
              <p class="note note-warning">本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://zh.wikipedia.org/wiki/Wikipedia:CC_BY-SA_3.0%E5%8D%8F%E8%AE%AE%E6%96%87%E6%9C%AC" rel="nofollow noopener noopener">CC BY-SA 3.0协议</a> 。转载请注明出处！</p>
            
          </div>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container">
        <div id="toc">
  <p class="h5"><i class="far fa-list-alt"></i>&nbsp;目录</p>
  <div id="tocbot"></div>
</div>
      </div>
    
  </div>
</div>

<!-- custom -->


<!-- Comments -->
<div class="col-lg-7 mx-auto nopadding-md">
  <div class="container comments mx-auto" id="comments">
    
      <br><br>
      
      
  <div class="disqus" style="width:100%">
    <div id="disqus_thread"></div>
    <script>
      var disqus_config = function () {
        this.page.url = 'http://cve.gitee.io/cve/2020/08/10/基本信息/';
        this.page.identifier = '/2020/08/10/基本信息/';
      };
      var oldLoad = window.onload;
      window.onload = function () {
        var d = document, s = d.createElement('script');
        s.type = 'text/javascript';
        s.src = '//' + 'crayon-1' + '.disqus.com/embed.js';
        s.setAttribute('data-timestamp', +new Date());
        (d.head || d.body).appendChild(s);
      };
    </script>
    <noscript>Please enable JavaScript to view the <a target="_blank" href="https://disqus.com/?ref_noscript" rel="nofollow noopener noopener">comments
        powered by Disqus.</a></noscript>
  </div>


    
  </div>
</div>

    
  </main>

  
    <a class="z-depth-1" id="scroll-top-button" href="#" role="button">
      <i class="fa fa-chevron-up scroll-top-arrow" aria-hidden="true"></i>
    </a>
  

  
    <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
  

  <footer class="mt-5">
  <div class="text-center py-3">
    <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><b>Hexo</b></a>
    <i class="iconfont icon-love"></i>
    <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"> <b>Fluid</b></a>
    <br>

    
  
    <!-- 不蒜子统计PV -->
    
    &nbsp;<span id="busuanzi_container_site_pv"></span>总访问量 
          <span id="busuanzi_value_site_pv"></span> 次&nbsp;
  
  
    <!-- 不蒜子统计UV -->
    
    &nbsp;<span id="busuanzi_container_site_uv"></span>总访客数 
            <span id="busuanzi_value_site_uv"></span> 人&nbsp;
  
  <br>



    


    <!-- cnzz Analytics icon -->
    

  </div>
</footer>

<!-- SCRIPTS -->
<script src="https://cdn.staticfile.org/jquery/3.4.1/jquery.min.js" ></script>
<script src="https://cdn.staticfile.org/popper.js/1.16.1/umd/popper.min.js" ></script>
<script src="https://cdn.staticfile.org/twitter-bootstrap/4.4.1/js/bootstrap.min.js" ></script>
<script src="https://cdn.staticfile.org/mdbootstrap/4.13.0/js/mdb.min.js" ></script>
<script src="/js/main.js" ></script>


  <script src="/js/lazyload.js" ></script>



  
  <script src="https://cdn.staticfile.org/tocbot/4.10.0/tocbot.min.js" ></script>
  <script>
    $(document).ready(function () {
      var navHeight = $('#navbar').height();
      var toc = $('#toc');
      var main = $('main');
      var tocT = navHeight + (toc.offset().top - main.offset().top);
      var tocLimMin = main.offset().top - navHeight;
      var tocLimMax = $('#comments').offset().top - navHeight;
      $(window).scroll(function () {
        var scroH = document.body.scrollTop + document.documentElement.scrollTop;
        if (tocLimMin <= scroH && scroH <= tocLimMax) {
          toc.css({
            'display': 'block',
            'position': 'fixed',
            'top': tocT,
          });
        } else if (scroH <= tocLimMin) {
          toc.css({
            'position': '',
            'top': '',
          });
        } else if (scroH > tocLimMax) {
          toc.css('display', 'none');
        }
      });
      tocbot.init({
        tocSelector: '#tocbot',
        contentSelector: '.post-content',
        headingSelector: 'h1,h2,h3,h4,h5,h6',
        linkClass: 'tocbot-link',
        activeLinkClass: 'tocbot-active-link',
        listClass: 'tocbot-list',
        isCollapsedClass: 'tocbot-is-collapsed',
        collapsibleClass: 'tocbot-is-collapsible',
        scrollSmooth: true,
      });
      if ($('.toc-list-item').length > 0) {
        $('#toc > p').css('visibility', 'visible');
      }
    });
  </script>







  <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" ></script>


<!-- Plugins -->



  <script src="https://cdn.staticfile.org/prettify/188.0.0/prettify.min.js" ></script>
  <script>
    $(document).ready(function () {
      $('pre').addClass('prettyprint  linenums');
      prettyPrint();
    })
  </script>





  <script src="https://cdn.staticfile.org/anchor-js/4.2.2/anchor.min.js" ></script>
  <script>
    anchors.options = {
      placement: "right",
      visible: "hover",
      
    };
    var el = "h1,h2,h3,h4,h5,h6".split(",");
    var res = [];
    for (item of el) {
      res.push(".markdown-body > " + item)
    }
    anchors.add(res.join(", "))
  </script>



  <script src="/js/local-search.js" ></script>
  <script>
    var path = "/local-search.xml";
    var inputArea = document.querySelector("#local-search-input");
    inputArea.onclick = function () {
      getSearchFile(path);
      this.onclick = null
    }
  </script>



  <script src="https://cdn.staticfile.org/fancybox/3.5.7/jquery.fancybox.min.js" ></script>
  <script>
    $("#post img:not(.no-zoom img, img[no-zoom])").each(
      function () {
        var element = document.createElement("a");
        $(element).attr("data-fancybox", "images");
        $(element).attr("href", $(this).attr("src"));
        $(this).wrap(element);
      }
    );
  </script>












</body>
</html>
